TRNDP014 

CLAIMS 

1. In a distributed network having a number of server computers and 
associated client devices, method of isolating infected client devices from uninfected 
client devices, comprising: 

correlating network related virus infection information; 

determining if a virus outbreak has occurred based on the correlated 
information; 

isolating infected client devices from uninfected client devices when the virus 
outbreak is confirmed; 

monitoring all data packets in the network for the virus; 
identifying a packet type associated with the virus; and 
blocking only the identified packet type. 

2. A method as recited in claim 1, the monitoring comprises: 
wherein when a network virus or worm is detected, 

switching to a second mode by a virus monitor such that only those 
data packets infected by the detected computer virus or computer worm 
are not returned to the network. 

3. A method as recited in claim 2, further comprising: 
forwarding to a virus/worm analyzer unit coupled to the network 
computer virus/worm sensor only those data packets deemed to be 
infected by the identified computer virus or computer worm are. 

4. A method as recited in claim 3, wherein in the first mode, 
copying by the traffic controller substantially all data packets 
included in the network traffic; and 

forwarding the copied data packets to the virus/worm analyzer 
unit. 

5. A method as recited in claim 4, comprising: 
forwarding the copied data packet to a packet protocol 
determinator; and 

determining if the packet protocol of the copied data packet is one 
likely to be infected by the detected computer virus or computer worm. 

6. A method as recited in claim 5, further comprising: 
receiving at a trash collector those copied data packets determined 
to be of a protocol not likely to be infected by the detected computer 
virus or computer worm; and 

receiving and analyzing those copied data packets determined to be 
of a protocol likely to be infected by the detected computer virus or 
computer worm at a filescan unit. 

7. A method as recited in claim 6, further comprising: 
determining by a virus/worm analyzer unit if those copied data 
packets received at the filescan unit are infected by the detected 
computer virus or computer worm; 

forwarding those packets determined not to be infected to the trash 
collector; 

analyzing the infected copied data packets; and 

generating a virus report based upon the analysis. 

8. In a distributed network having a number of server computers and 
associated client devices, computer program product for isolating infected client 
devices from uninfected client devices, comprising: 

computer code for correlating network related virus infection information; 
determining if a virus outbreak has occurred based on the correlated 
information; 

computer code for isolating infected client devices from uninfected client 
devices when the virus outbreak is confirmed; 

computer code for monitoring all data packets in the network for the virus; 
computer code for identifying a packet type associated with the virus; 
computer code for blocking only the identified packet type; and 
computer readable medium for storing the code. 

9. Computer program product as recited in claim 8, the monitoring 
comprises: 

wherein when a network virus or worm is detected, 

computer code for switching to a second mode by a virus monitor 
such that only those data packets infected by the detected computer virus 
or computer worm are not returned to the network. 

10. Computer program product as recited in claim 9, further 
comprising: 

computer code for forwarding to a virus/worm analyzer unit 
coupled to the network computer virus/worm sensor only those data 
packets deemed to be infected by the identified computer virus or 
computer worm are. 

11. Computer program product as recited in claim 10, wherein in 
the first mode, copying by the traffic controller substantially all 
data packets included in the network traffic; and 
computer code for forwarding the copied data packets to the 
virus/worm analyzer unit. 

12. Computer program product as recited in claim 11, 
comprising: 

computer code for forwarding the copied data packet to a packet 
protocol determinator; and 

computer code for determining if the packet protocol of the copied 
data packet is one likely to be infected by the detected computer virus or 
computer worm. 

13. Computer program product as recited in claim 12, further 
comprising: 

computer code for receiving at a trash collector those copied data 
packets determined to be of a protocol not likely to be infected by the 
detected computer virus or computer worm; and 

computer code for receiving and analyzing those copied data 
packets determined to be of a protocol likely to be infected by the 
detected computer virus or computer worm at a filescan unit. 

14. Computer program product as recited in claim 13, further 
comprising: 

computer code for determining by a virus/worm analyzer unit if 
those copied data packets received at the filescan unit are infected by the 
detected computer virus or computer worm; 

computer code for forwarding those packets determined not to be 
infected to the trash collector; 

computer code for analyzing the infected copied data packets; and 
computer code for generating a virus report based upon the analysis. 